Problem
The secret that contains the cacert and token of a service account cannot be retrieved on Kubernetes version 1.24 and later. NetBackup requires the cacert and token of a backup service account for authorization and authentication with the Kubernetes cluster.
Error Message
When you run the command kubectl get secrets -n <kops namespace>, secrets for the backup and operator service accounts are not automatically visible with NetBackup Kubernetes operator version 10.1.0 and earlier.
Cause
This happens because a secret for a service account is not automatically generated on Kubernetes version 1.24 and later.
From Kubernetes version 1.24 onwards, the feature gate LegacyServiceAccountTokenNoAutoGeneration is enabled. This feature gate prevents automatic secret generation for service accounts.
See the Kubernetes feature gates documentation for an overview of the various feature gates.
Solution
On Kubernetes 1.24 and later, create the secrets explicitly for the required service accounts, with the annotations shown in the following YAML file. A future version of NetBackup will remove the need for this workaround.
- To confirm the Helm release name, run helm list -n <kops namespace> and note the Veritas NetBackup KOPS release name.
# helm list -n netbackup
NAME                   NAMESPACE  REVISION  UPDATED                                    STATUS    CHART                            APP VERSION
veritas-netbackupkops  netbackup  1         2023-02-22 09:35:07.800386561 -0500 -0500  deployed  netbackupkops-helm-chart-10.x.x  10.x.x
- Create the secrets with the following content.
apiVersion: v1
kind: Secret
metadata:
  name: <kops namespace>-operator-secret
  namespace: <kops namespace>
  annotations:
    kubernetes.io/service-account.name: <kops namespace>-operator
    meta.helm.sh/release-name: <release name>
    meta.helm.sh/release-namespace: <kops namespace>
  labels:
    app.kubernetes.io/managed-by: Helm
    component: netbackup
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: Secret
metadata:
  name: <kops namespace>-backup-server-secret
  namespace: <kops namespace>
  annotations:
    kubernetes.io/service-account.name: <kops namespace>-backup-server
    meta.helm.sh/release-name: <release name>
    meta.helm.sh/release-namespace: <kops namespace>
  labels:
    app.kubernetes.io/managed-by: Helm
    component: netbackup
type: kubernetes.io/service-account-token
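
After the secrets are applied, the cluster's token controller fills in the ca.crt and token data that NetBackup needs. The following check is an added example, not part of the original article or of NetBackup; the function names check_sa_secret and check_kops_secrets are hypothetical, and it assumes kubectl is already configured for the cluster.

```sh
#!/bin/sh
# Added example: confirm that each manually created service-account-token
# secret was populated by the Kubernetes token controller.

# check_sa_secret <namespace> <secret-name> <service-account-name>
# Returns 0 only when the secret has the expected type, is bound to the
# expected service account, and holds non-empty ca.crt and token data.
check_sa_secret() {
  ns=$1 secret=$2 sa=$3
  # Read one field of the secret; dots inside key names are escaped for jsonpath.
  _get() { kubectl get secret "$secret" -n "$ns" -o "jsonpath=$1"; }

  stype=$(_get '{.type}') ||
    { echo "FAIL: cannot read secret $ns/$secret"; return 1; }
  [ "$stype" = "kubernetes.io/service-account-token" ] ||
    { echo "FAIL: $secret has type '$stype'"; return 1; }

  bound=$(_get '{.metadata.annotations.kubernetes\.io/service-account\.name}')
  [ "$bound" = "$sa" ] ||
    { echo "FAIL: $secret is bound to '$bound', expected '$sa'"; return 1; }

  # Population is asynchronous; empty data right after creation means retry.
  [ -n "$(_get '{.data.ca\.crt}')" ] ||
    { echo "FAIL: $secret has no ca.crt data"; return 1; }
  [ -n "$(_get '{.data.token}')" ] ||
    { echo "FAIL: $secret has no token data"; return 1; }

  echo "OK: $ns/$secret holds ca.crt and token for $sa"
}

# check_kops_secrets <kops namespace>
# Checks both secrets from the YAML above, using the article's naming scheme.
check_kops_secrets() {
  kops_ns=$1
  rc=0
  for suffix in operator backup-server; do
    check_sa_secret "$kops_ns" "$kops_ns-$suffix-secret" "$kops_ns-$suffix" || rc=1
  done
  return "$rc"
}
```

Source the file and run check_kops_secrets netbackup (replace netbackup with your KOPS namespace) after applying the YAML; a non-zero return means at least one secret is not yet usable.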